Some healthcare organizations have received postcards that appear to be from the OCR that they are required to participate in a “Required Security Risk Assessment” and they are to send their risk assessment to a website.
This is not from the OCR or the U.S. Department of Health and Human Services, it is an advertisement from a private company. Please alert your workers and always verify that websites and email addresses are safe before clicking or submitting any information. Communications via email from HHS/OCR will end in @hhs.gov. The official website for HHS/OCR is www.hhs.gov/ocr.
If you receive a postcard or other communication like this, report it to HHS right away – https://www.hhs.gov/ocr/about-us/contact-us/index.html